Right now, there’s an honest chance your mobile phone is tracking your location—even with GPS services turned off. That’s because, to receive service, our phones reveal personal identifiers to cell towers owned by major network operators. This has led to vast and largely unregulated data-harvesting industries based around selling users’ location data to 3rd parties without consent.
For the 1st time, researchers at the University of Southern California (USC) Viterbi School of Engineering and Princeton University have found how to prevent this privacy breach using existing cellular networks. The new system, presented at USENIX Security conference on Aug. 11, protects users’ mobile privacy while providing normal mobile connectivity.
The new architecture, called “Pretty Good Phone Privacy” or PGPP, decouples phone connectivity from authentication & billing by anonymizing personal identifiers sent to cell towers. The software-based solution, described by the researchers as an “architecture change,” doesn’t alter cellular network hardware.
“We’ve unwittingly accepted that our phones are tracking devices in disguise, but so far we’ve had no other option—using mobile devices meant accepting this tracking,” said study co-author Barath Raghavan, an professor in computing at USC. “We found out the way to decouple authentication from connectivity and ensure privacy while maintaining seamless connectivity, and it’s all wiped out software.”
Decoupling Authentication & Phone Connectivity
Currently, for your phone to figure , the network has got to know your location and identify you as paying customer. As such, both your identity and site data are tracked by the device at all-time. Data brokers and major operators have taken advantage of this technique to profit off revealing sensitive user data—to date, within the US, there are not any federal laws restricting the utilization of location data.
“Today, whenever your phone is receiving or sending data, radio signals go from your phone to the cell tower, then into network,” said Raghavan. “The networks can scoop all that data and sell it to companies or information-for-hire middlemen. albeit you stop apps tracking your location, the phone still talks to the tower, which suggests the carrier knows where you’re . Until now, it appeared like a fundamental thing we could never get around.”
But Raghavan, with study co-author Paul Schmitt who recently joined USC’s Information Sciences Institute from Princeton University , found a way: They decoupled what’s referred to as authentication—who you are—from your phone connectivity. The key finding: there’s no reason why your personal identifier has got to grant you network connectivity.
Their new system works by breaking the direct line of communication between the user’s cellphone and therefore the cell tower. rather than sending a personally identifiable signal to the cell tower, it sends an anonymous “token.” It does this by employing a mobile virtual network operator, like Cricket or Boost, as a proxy or intermediary.
“The key is—if you would like to be anonymous, how do they know you are a paying customer?” said Raghavan. “In the protocol we developed, the user pays the bills, and gets a cryptographically signed token from the provider, which is anonymous. Now the identity during a specific location is separated from the very fact that there’s a phone at that location.”
The duo, who have launched a startup called Invisv, prototyped and tested everything with real phones within the lab. Crucially, their approach adds almost zero latency and doesn’t introduce new bottlenecks, avoiding performance and scalability problems of other anonymity networks. The service could handle tens of-million users on one server & would be deployed seamlessly to customers through the network operator.
Since the system works by stopping a phone from identifying its user to the cell tower, all other location-based services—such as checking out the closest gasoline station , or contact tracing—still work as was common . The researchers hope the technology are going to be accepted by major networks as default, particularly with mounting legal pressure to adopt new privacy measures.
“For 1st time in human history, almost every single person on the earth are often tracked in real-time,” said Raghavan. “Until now, we had to only silently accept this loss of control over our own data—we believe this new measure will help to revive a number of that control.”
The findings were published on ARXIV.